Writing data with Logstash

Estimated time to read: 5 minutes

Acquisition notice

In October 2022, ServiceNow acquired Era Software. The documentation on this site is no longer maintained and is intended for existing Era Software users only.

To get the latest information about ServiceNow's observability solutions, visit their website and documentation.

This page shows how to use Logstash to write data to EraSearch. In this guide, you'll:

Use Logstash to collect data about specific files.
Configure Logstash to write the data to EraSearch.
View the data in EraSearch.

While the steps below use log data stored in files, you can customize the setup to use any Logstash input plugin, including Elastic Beats, AWS Kinesis, Kafka, and more.

Before you begin¶

This content is intended for engineers and developers using EraSearch on EraCloud or self-hosted EraSearch:

If you're using EraSearch on EraCloud, you need your service URI and API key. To get started with EraSearch on EraCloud, set up an account.
If you're using self-hosted EraSearch, you need your EraSearch URL. If you also set up EraSearch RBAC, you need an API key for writing and reading data.

To get started with self-hosted EraSearch, contact us at Era Software.

This guide also assumes you've installed Logstash.

Instructions¶

Step 1: Configure the Logstash file input¶

Logstash's file input plugin tails files, emitting one log message per file line. Follow these steps to set it up:

Open or create your Logstash configuration file, for example, logstash.conf.

Paste this content in the file:

input {
  file {
    path => "YOUR_FILE_PATH"
  }
}

Replace YOUR_FILE_PATH with the path to the file you want to monitor.

Step 2: Configure the EraSearch output plugin¶

EraSearch on EraCloudSelf-hosted EraSearch

To configure Logstash to send data to EraSearch, paste the content below into your Logstash configuration file, replacing:

YOUR_SERVICE_URI with your EraCloud service URI.
YOUR_INDEX_NAME with the target EraSearch index -- EraSearch creates the index for you.
YOUR_API_KEY with your EraCloud API key.

output {
  elasticsearch {
    hosts => "YOUR_SERVICE_URI:443"
    index => "YOUR_INDEX_NAME"

    custom_headers => {
        "Authorization" => "Bearer YOUR_API_KEY"
    }
  }
}

To configure Logstash to send data to EraSearch, paste the content below into your Logstash configuration file, replacing:

YOUR_ERASEARCH_URL with your EraSearch URL.

Example: http://localhost:9200.
YOUR_INDEX_NAME with the target EraSearch index -- EraSearch creates the index for you.
YOUR_API_KEY with your EraSearch RBAC API key. If you're not using RBAC, remove the custom_headers section from the file.

output {
  elasticsearch {
    hosts => "YOUR_ERASEARCH_URL"
    index => "YOUR_INDEX_NAME"

    custom_headers => {
        "Authorization" => "Bearer YOUR_API_KEY"
    }

    # Uncomment the following line if you're using SSL.
    # ssl => true
  }
}

Note

The configuration above uses the Elasticsearch output plugin to let Logstash work with EraSearch. That workflow is possible because the EraSearch REST API supports much of the Elasticsearch API.

Step 3: Start Logstash and confirm your configuration¶

Start Logstash with the relevant command. When Logstash loads the file input and elasticsearch output, it shows output like this:

[INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.16.2", "jruby.version"=>"jruby 9.2.20.1 (2.5.8) 2021-11-30 2a2962fbd1 OpenJDK 64-Bit Server VM 11.0.13+8 on 11.0.13+8 +indy +jit [linux-aarch64]"}
[...]
[INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["YOUR_ERASEARCH_URL"]}
[INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[INFO ][filewatch.observingtail  ][main][XXXX] START, creating Discoverer, Watch with file and sincedb collections

With Logstash started, you'll begin to see lines from the file in EraSearch.

Note

To generate some data for Logstash to send, use this command to write text to the file you configured above:

$ echo "Hello, EraSearch!" >> YOUR_FILE_PATH

Step 4: View your data EraSearch¶

EraSearch on EraCloudSelf-hosted EraSearch

Access EraSearch's UI by visiting your EraCloud account and clicking . Your data is in the index you specified above. You may need to refresh the UI if the index is new.

Use the EraSearch REST API to query the data in EraSearch. Paste the command below in your terminal, replacing:

YOUR_ERASEARCH_URL with your EraSearch URL.

Example: http://localhost:9200.
YOUR_INDEX_NAME with the EraSearch index you specified above.
YOUR_API_KEY with your EraSearch RBAC API key. If you're not using RBAC, remove \ -H 'Authorization: Bearer YOUR_API_KEY' from the command.

$ curl 'YOUR_ERASEARCH_URL/YOUR_INDEX_NAME/_search?q=_lid:*' \
  -H 'Authorization: Bearer YOUR_API_KEY'

The response shows information about your data and API request, including:

took - The time, in milliseconds, EraSearch took to serve the query request.
_id - A unique, auto-generated numerical identifier for documents.

Next steps¶

You're all set! You're now using Logstash to send log data to your EraSearch instance. For more information about Logstash, visit these pages:

Logstash documentation
Logstash's Input reference
Logstash's Elasticsearch Output reference

For other ways to get data into your database, visit the write-integrations reference. To learn more about exploring, querying, and visualizing your data in EraSearch, visit these pages:

Alerting with Slack (for EraCloud users only)
Connecting EraSearch to Grafana
Exploring data in EraSearch's UI (for EraCloud users only)
Explore-integrations reference

Last update: August 7, 2023